PingFederate Server

Specifying a source location

You can indicate on the Source Location tab where PingFederate should look for user records in the datastore.

About this task

The same location can be used to retrieve user-group distinguished names (DNs) for maintaining corresponding groups at the service provider (SP).

Screen capture illustrating the Source Location tab in the administrative console.

After specifying the required base DN, you can provision users, and groups when applicable, based on group membership information or LDAP search results.

Groups provisioning is supported for System for Cross-domain Identity Management (SCIM) and the Google Apps Connector (version 2.0 and higher) but might not be supported for other software as a service (SaaS) Connectors. If not, the associated fields under Groups on the Source Location tab are inactive. Support for the feature might become available in future SaaS Connector releases. See the documentation in your add-on distribution package.

Steps

  1. Go to Applications → Integration → SP Connections → Configure Channels → Channel. In the Base DN field, enter the base DN where user records are stored.

    PingFederate looks only at this node level, or below it, for user accounts and groups (when applicable) that need to be provisioned based on the conditions set in the next step.

  2. Specify group membership information or an LDAP filter to search for users, and groups when applicable, to be provisioned. For more information, see the following table.

    Object | Field | Description

    Users

    Group DN

    The distinguished name (DN) of a group in the user repository whose member groups should be provisioned.

    Optionally, select the Nested Search check box to include users that are members of the specified group through nested group membership. Nested group membership is preserved for SCIM provisioning, and SaaS provisioning if the vendor and the SaaS Connectors support hierarchical structure in groups.

    The Nested Search feature is available when PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server is selected as the source user repository. For more information, see Identifying the source datastore.

    Filter

    An LDAP search filter that returns user objects representing the users that should be provisioned.

    For information about LDAP filters, see your LDAP documentation. You might need to escape any special characters.

    The Group DN field is ignored when a Filter field value is configured.

    If you are using Active Directory, the filter must include objectClass=user for the provisioner to retrieve users.

    Groups (when applicable)

    Group DN

    The DN of the group in the user repository that should be provisioned.

    Optionally, select the Nested Search check box to include groups that are members of the specified group through nested group membership. Nested group membership is preserved for SCIM provisioning, and SaaS provisioning if the vendor and the SaaS Connectors support hierarchical structure in groups.

    The Nested Search feature is available when PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server is selected as the source user repository. For more information, see Identifying the source datastore.

    Filter

    An LDAP search filter that returns group objects representing the groups that should be provisioned.

    For information about LDAP filters, refer to your LDAP documentation. You might need to escape any special characters.

    The Group DN field is ignored when a Filter field value is configured.

    If both the Group DN field and the Filter field are blank, no groups will be provisioned.

  3. Click Next.
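
The Filter guidance in step 2 (escape special characters, and include objectClass=user for Active Directory) can be checked before a filter is pasted into the field. The following is an added example, not part of the PingFederate documentation or product; the function names, the sample DN, and the choice of Active Directory's memberOf attribute are assumptions made for illustration.

```python
import re

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# One filter item: attribute, optional matching-rule OID, operator, escaped value.
_ITEM = re.compile(r"[A-Za-z][\w;.-]*(?::[\w.]+)*(?::=|[~<>]?=)"
                   r"(?:[^\\()\x00]|\\[0-9A-Fa-f]{2})*")

def escape_filter_value(value):
    """Escape a literal (for example a group DN) for use as a filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_ad_user_filter(group_dn):
    """Users filter for Active Directory: user objects that are direct members of group_dn."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"

def _parse(f, i):
    """Parse one parenthesised filter at f[i]; return the index just past it."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, count = f[i], i + 1, 0
        while f[i:i + 1] == "(":
            i, count = _parse(f, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"'{op}' has wrong number of operands at offset {i}")
    else:
        m = _ITEM.match(f, i)
        if not m:
            raise ValueError(f"malformed filter item at offset {i}")
        i = m.end()
    if f[i:i + 1] != ")":
        raise ValueError(f"unescaped character or missing ')' at offset {i}")
    return i + 1

def check_filter(f, active_directory=True):
    """Return the problems found in a filter string; an empty list means none."""
    problems = []
    try:
        if _parse(f, 0) != len(f):
            problems.append("trailing characters after the filter")
    except ValueError as exc:
        problems.append(str(exc))
    if active_directory and not re.search(r"\(objectClass=user\)", f, re.I):
        problems.append("Active Directory filter does not include objectClass=user")
    return problems

# Constructed sample DN; the parentheses are the special characters to escape.
SAMPLE_GROUP_DN = "CN=Sales (EMEA),OU=Groups,DC=example,DC=com"
```

A filter that parses cleanly can still match more entries than intended, so run it against the directory under the configured base DN and review the returned entries before enabling the channel.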